[Certificate] Setting up a Let's Encrypt certificate for Zimbra 8.8.9

Original article published: 11 August 2018

Updated: 22 June 2019


Following my server update and the certificate renewal, I am updating the procedure so that it is less confusing than the previous one.


/!\ Quick reminder: to generate a certificate with Let's Encrypt, port 443 must be open and not in use (the standalone authenticator answers the validation request itself, which is why the Zimbra proxy is stopped first).

Log in as the zimbra user, then stop the proxy service:

# su - zimbra
$ zmproxyctl stop


Switch back to your own user or to root, then generate the certificate (nom_du_serveur_mail is the hostname of the mail server, the name clients connect to):

# /opt/letsencrypt/letsencrypt-auto certonly --standalone -d nom_du_serveur_mail

On success, it returns:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nom_du_serveur_mail/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nom_du_serveur_mail/privkey.pem
Your cert will expire on 2018-11-09. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


Create the root CA file. This is the DST Root CA X3 certificate, the root that signed the Let's Encrypt Authority X3 intermediate at the time: certbot's chain.pem only contains the intermediate, and zmcertmgr's chain verification needs the complete path up to a self-signed root.

# vim /tmp/root-ca.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----


Then copy the files generated by Let's Encrypt to /tmp and build the certificate chain (intermediate first, root last):

# cp /etc/letsencrypt/live/nom_du_serveur_mail/* /tmp
# cd /tmp
# cat chain.pem root-ca.pem > chain-root-ca.pem


Back up the previous certificate, rename the files, copy the new private key into place and set the permissions:

# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
# mv cert.pem commercial.crt
# mv chain-root-ca.pem chain.txt
# cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# chown zimbra.zimbra /tmp/*.crt
# chmod 666 /tmp/*.crt


Then switch to the zimbra user again, verify and deploy the certificate, and restart the services:

# su - zimbra
$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt
$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt
$ zmcontrol restart


To check the deployed certificate:

# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
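The steps from building the chain to handing the files to zmcertmgr, rewritten as an added example (these are not the article's commands) with the checks one would want before running deploycrt: that certbot's chain.pem actually contains a certificate, that exactly one root is appended and ends up as the last block, and that the private key is staged owner-only instead of 0666. Paths are arguments; the script name stage_zimbra_cert.sh is hypothetical. Without arguments it runs on constructed placeholder PEM blocks in a temporary directory, so it runs offline and never touches /opt/zimbra.

```bash
#!/bin/bash
# Added example, not the article's script: assemble the chain zmcertmgr expects
# and stage the files with read-only permissions. All paths are arguments so the
# functions can be exercised on constructed data without touching /opt/zimbra.
set -eu

# Number of PEM certificate blocks in a file (0 when there are none).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain <chain.pem from certbot> <root-ca.pem> <output file>
# certbot's chain.pem holds only the intermediate; zmcertmgr verifycrt validates
# up to a self-signed root, so the root certificate is appended as the last block.
build_chain() {
    intermediate="$1"; root="$2"; out="$3"
    [ "$(pem_cert_count "$intermediate")" -ge 1 ] || { echo "no certificate in $intermediate" >&2; return 1; }
    [ "$(pem_cert_count "$root")" -eq 1 ] || { echo "expected exactly one certificate in $root" >&2; return 1; }
    cat "$intermediate" "$root" > "$out"
    # Check the result: the last block written must be byte-identical to the root.
    n=$(( $(wc -l < "$root") ))
    [ "$(tail -n "$n" "$out")" = "$(cat "$root")" ]
}

# prepare <certbot live dir> <root-ca.pem> <staging dir>
# Produces the file names zmcertmgr is given in the article. Public parts are
# world-readable (0644); the key is owner-only (0600). The article uses 0666,
# which is wider than zmcertmgr needs.
prepare() {
    live="$1"; root="$2"; dst="$3"
    mkdir -p "$dst"
    build_chain "$live/chain.pem" "$root" "$dst/chain.txt"
    cp "$live/cert.pem"    "$dst/commercial.crt"
    cp "$live/privkey.pem" "$dst/commercial.key"
    chmod 0644 "$dst/commercial.crt" "$dst/chain.txt"
    chmod 0600 "$dst/commercial.key"
    # Hand the files to the zimbra user only when running as root on a real host.
    if [ "$(id -u)" -eq 0 ] && id zimbra >/dev/null 2>&1; then
        chown zimbra:zimbra "$dst/commercial.crt" "$dst/chain.txt" "$dst/commercial.key"
    fi
}

# Constructed placeholder PEM block (not a real certificate), for the offline demo.
fake_pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

demo() {
    work=$(mktemp -d)
    fake_pem 'INTERMEDIATE-PLACEHOLDER' > "$work/chain.pem"
    fake_pem 'ROOT-PLACEHOLDER'         > "$work/root-ca.pem"
    fake_pem 'LEAF-PLACEHOLDER'         > "$work/cert.pem"
    echo 'PRIVATE-KEY-PLACEHOLDER'      > "$work/privkey.pem"
    prepare "$work" "$work/root-ca.pem" "$work/stage"
    echo "certificates in chain.txt: $(pem_cert_count "$work/stage/chain.txt")"   # 2
    ls -l "$work/stage"
    rm -rf "$work"
}

# Real use (hypothetical script name):
#   ./stage_zimbra_cert.sh /etc/letsencrypt/live/<host> /root/root-ca.pem /tmp/zimbra-cert
# then run zmcertmgr verifycrt / deploycrt on /tmp/zimbra-cert as in the article.
if [ $# -eq 3 ]; then
    prepare "$1" "$2" "$3"
else
    demo
fi
```

The staging directory can then be passed to zmcertmgr verifycrt and deploycrt exactly as in the article; the only behavioural difference from the manual steps is that a malformed chain file stops the script before anything is deployed.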


22/06/2019: Added a small script that groups all the commands together.

# ./renew_cert_zimbra.sh
#!/bin/bash
# Stop at the first failing step instead of deploying a certificate that did not verify.
set -e

# Stop the proxy so certbot's standalone authenticator can use the port.
su - zimbra -c "/opt/zimbra/bin/zmproxyctl stop"

# certbot-auto reuses the existing renewal configuration for this lineage (answer 2 to renew).
/opt/letsencrypt/certbot-auto certonly
cp /root/root-ca.pem /tmp
cp /etc/letsencrypt/live/server-mail.domaine.tld-0003/* /tmp
cd /tmp
# chain.pem only holds the intermediate; append the root so zmcertmgr can verify the full chain.
cat chain.pem root-ca.pem > chain-root-ca.pem
# Keep a dated backup of the current certificate directory before replacing anything.
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
mv cert.pem commercial.crt
mv chain-root-ca.pem chain.txt
cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt   # 644 would do: zmcertmgr only reads these files

# Verify the certificate against the key and the chain, then deploy and restart.
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt"
su - zimbra -c "/opt/zimbra/bin/zmcontrol restart"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr viewdeployedcrt"

echo ""
echo "Verification de la date du certificat"
echo ""
# Ask the running proxy for the certificate it actually serves and print its validity dates.
echo | openssl s_client -servername server-mail.domaine.tld -connect server-mail.domaine.tld:443 2>/dev/null | openssl x509 -noout -dates

When run:

Stopping proxy...done.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/server-mail.domaine.tld-0003.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/server-mail.domaine.tld-0003/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/server-mail.domaine.tld-0003/privkey.pem
   Your cert will expire on 2019-09-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer server-mail.domaine.tld...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer server-mail.domaine.tld...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/c1d601f8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c1d601f8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host server-mail.domaine.tld
        Stopping zmconfigd...Done.
        Stopping imapd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host server-mail.domaine.tld
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting dnscache...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.
        Starting imapd...Done.
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld

Verification de la date du certificat

notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
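The last line of the script prints the served certificate's dates for a human to read. The following script, added here and not part of the article, turns that into a check a cron job or monitoring agent can act on: it parses the notAfter line from openssl x509 -dates, computes the whole days left, fails below a threshold, and also compares the certificate served on 443 with the file zmcertmgr installed for the proxy (a proxy that was not restarted after deploycrt keeps serving the old certificate). It assumes GNU date (date -d) and openssl on PATH; the script name check_cert_expiry.sh is hypothetical. Without arguments it evaluates the dates from the output above at the moment of renewal (a constructed "now"), so it runs offline.

```bash
#!/bin/bash
# Added example (not the article's script): make the final openssl date check
# actionable for cron or a monitoring agent. Assumes GNU date (-d) and openssl.
set -eu

# Epoch seconds for a "notAfter=Sep 19 20:56:08 2019 GMT" line, as printed by
# `openssl x509 -noout -dates` or `-enddate`.
not_after_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# days_left <notAfter line> [now_epoch]  -> whole days until expiry (negative once expired).
# "now" is a parameter so the computation can be checked against fixed dates.
days_left() {
    exp=$(not_after_epoch "$1")
    now=${2:-$(date -u +%s)}
    echo $(( (exp - now) / 86400 ))
}

# SHA-256 fingerprint of the certificate a TLS server presents on port 443.
served_fingerprint() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256
}

# check_host <host> [warn_days] [deployed certificate file]
# Exits 1 when fewer than warn_days remain, or when the certificate served on 443
# differs from the file zmcertmgr installed for the proxy. Let's Encrypt
# certificates live 90 days; a 30-day threshold leaves time to retry a failed renewal.
check_host() {
    host="$1"; warn="${2:-30}"; deployed="${3:-/opt/zimbra/conf/nginx.crt}"
    line=$(echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
             | openssl x509 -noout -enddate)
    left=$(days_left "$line")
    status=0
    if [ "$left" -lt "$warn" ]; then
        echo "WARN: $host: $left day(s) left ($line)"; status=1
    else
        echo "OK: $host: $left day(s) left"
    fi
    if [ -r "$deployed" ] && \
       [ "$(served_fingerprint "$host")" != "$(openssl x509 -noout -fingerprint -sha256 -in "$deployed")" ]; then
        echo "WARN: $host serves a different certificate than $deployed (proxy not restarted?)"; status=1
    fi
    return $status
}

# Usage (hypothetical script name): ./check_cert_expiry.sh server-mail.domaine.tld 30
if [ $# -ge 1 ]; then
    check_host "$@"
else
    # No host given: evaluate the dates from the output above at the moment of
    # renewal (constructed "now"); this runs offline and prints 90.
    days_left "notAfter=Sep 19 20:56:08 2019 GMT" "$(date -u -d 'Jun 21 20:56:08 2019 GMT' +%s)"
fi
```

Run from cron with the host as argument, a non-zero exit is the signal to renew (or to restart the proxy when only the fingerprint check fails), which is the failure the viewdeployedcrt output alone does not reveal.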
